Check permissions before handling wallposts and showing walls
Summary
Currently, the code that checks permissions before posting a wallpost only works for the foodsaver, question and fairteiler walls. The code that checks if you may read a wall just returns true for fairteilers. For most cases, code that can perform permission checks is implemented in the gateway or model classes of the corresponding walls. It just has to be called there.
Steps to reproduce
Log in with an account that has access to a problematic wall. Copy the URL, then log out and then visit the URL you just copied.
What is the current bug behavior?
You can view and modify the wall as if you where logged in. Depending on the wall, only bell notifications won't be sent, as the code that sends bell notifications checks permissions.
What is the expected correct behavior?
The user has to be kicked out with a 403 if not logged in. Or at least be nicely informed that she or he must be logged in in order to view the page.
Possible fixes
WallPostPermissions::mayReadWall and WallPostPermission::mayWriteWall have to be extended to check the permissions for all cases. l39 must not return true in all cases. WallPostPermission will need to hold a few model classes for that, as some of the permission logic depends on the database. I don't like this idea, as it makes WallPostPermissions have many dependencies to some classes only for one method and this feels wrong, but I don't have a better solution.
Current Status
!1353 (merged) is the first of probably a bunch of MRs in order to fix this. Following table should make it easier to keep track of progress:
Wall | Where to find | Requirements to read | Verified working on Beta |
---|---|---|---|
foodsaver | /profile/fsid | Signed up + logged in | |
bezirk | ?page=bezirk&bid=1305&sub=wall | Member of a working group | |
event | ?page=event&id=14744 | Public event: logged in; Other events: Member of region or invited | |
fairteiler | ?page=fairteiler&bid=21&sub=ft&id=67 | None | |
question | ? | ||
usernotes | /profile/fsid/notes/ | Orga | |
fsreport | ? | ||
application | ?page=application&bid=899&fid=151135 | Workgroup admin | |
? | ? |